Analysis
max time kernel: 142s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2023, 22:24

Static task: static1

Behavioral task: behavioral1
  Sample: aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe
  Resource: win10v2004-20230915-en
General
Target: aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe
Size: 929KB
MD5: 78ca7e8b46ee79803b25186fce5d90d8
SHA1: 11a847c3d8991603eb1c6e9ea05f3a569eba119f
SHA256: aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c
SHA512: 1642dfd2b78ba46f76119f526436f2c6a24208a21128f7cd0f586cee0f1b8e2a3cf9b3e4b044776d602d299e92fef583bb8b0ce274142e0163c2be9aa5e392a6
SSDEEP: 12288:mMrCy90rVZDGHW8433uN/JXpxEH30EZEox/j8fqFD/MX5dq6r0vcOzdXX:4ysCr433u/z6ENox//FDMX3qcOzNX
Malware Config
Extracted
  redline
  luska
  77.91.124.55:19071
  auth_value: a6797888f51a88afbfd8854a79ac9357
Signatures
Detect Mystic stealer payload 4 IoCs
  resource                                                                      yara_rule
  behavioral2/memory/4856-28-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral2/memory/4856-29-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral2/memory/4856-30-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral2/memory/4856-32-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 5 IoCs
  pid    Process
  532    x8358276.exe
  4980   x1516394.exe
  1332   x2500597.exe
  4196   g9759617.exe
  756    h9706762.exe

Adds Run key to start application 2 TTPs 4 IoCs
  description       ioc                                                                                                                                                                                                                                        Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   x1516394.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""   x2500597.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   x8358276.exe

Suspicious use of SetThreadContext 1 IoCs
  description                            pid    Process        procid_target
  PID 4196 set thread context of 4856    4196   g9759617.exe   89

Program crash 2 IoCs
  pid    pid_target   Process        procid_target
  1888   4196         WerFault.exe   86
  4764   4856         WerFault.exe   89

Suspicious use of WriteProcessMemory 25 IoCs
  description                          pid    Process                                                                 procid_target
  PID 1196 wrote to memory of 532      1196   aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe   83
  PID 1196 wrote to memory of 532      1196   aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe   83
  PID 1196 wrote to memory of 532      1196   aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe   83
  PID 532 wrote to memory of 4980      532    x8358276.exe                                                            84
  PID 532 wrote to memory of 4980      532    x8358276.exe                                                            84
  PID 532 wrote to memory of 4980      532    x8358276.exe                                                            84
  PID 4980 wrote to memory of 1332     4980   x1516394.exe                                                            85
  PID 4980 wrote to memory of 1332     4980   x1516394.exe                                                            85
  PID 4980 wrote to memory of 1332     4980   x1516394.exe                                                            85
  PID 1332 wrote to memory of 4196     1332   x2500597.exe                                                            86
  PID 1332 wrote to memory of 4196     1332   x2500597.exe                                                            86
  PID 1332 wrote to memory of 4196     1332   x2500597.exe                                                            86
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 4196 wrote to memory of 4856     4196   g9759617.exe                                                            89
  PID 1332 wrote to memory of 756      1332   x2500597.exe                                                            97
  PID 1332 wrote to memory of 756      1332   x2500597.exe                                                            97
  PID 1332 wrote to memory of 756      1332   x2500597.exe                                                            97
Processes
Process tree (depth shown by indentation; each entry gives the image path, the command line, the PID and the signatures triggered by that process):

1. C:\Users\Admin\AppData\Local\Temp\aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\aa49aa75bc754c85e6f63daddbd50b31f7c1a545d304c73b5cb297f16d9e323c.exe"
   PID: 1196
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8358276.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8358276.exe
      PID: 532
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1516394.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1516394.exe
         PID: 4980
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2500597.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2500597.exe
            PID: 1332
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9759617.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9759617.exe
               PID: 4196
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 4856
                  7. C:\Windows\SysWOW64\WerFault.exe
                     command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 556
                     PID: 4764
                     - Program crash
               6. C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 156
                  PID: 1888
                  - Program crash
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9706762.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9706762.exe
               PID: 756
               - Executes dropped EXE

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4856 -ip 4856
   PID: 4032

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4196 -ip 4196
   PID: 1724
Network
MITRE ATT&CK Enterprise v15
Downloads